
Re: Ability to withstand well known attacks (fwd)



 "bf" == Barbara Fraser <byfraser@cisco.com> writes:

bf> I think it's very important to clearly state what we're requiring. For
bf> example, we need to clearly describe what sort of attacks. Here are a

Nope, we only have to describe the result of the attacks.  The whole
purpose of this is to cover unknown attacks, new things that have not
been seen before.

bf> number of examples of various styles of flooding attacks. Some are
bf> destined to the device in question while others are transiting through
bf> it.

There is an implicit "... attacks against the device itself" at the
end of the requirement.  Perhaps it should be made explicit.  If your
attack traffic is targeted somewhere else, and transits the device,
this requirement does not apply.  The system is not withstanding
anything, it's merely functioning.

bf> TCP SYN flood to a listening TCP port

If the box falls over, it fails.

bf> Ping flood to an IP address of the device

If you exceed the inbound bandwidth, there is nothing that can be
done, and it's foolish to require vendors to do so.  At this point,
the device must rely on other network components to protect it.  The
capabilities to do so are presented in other requirements.

bf> Process/connection exhaustion attack to a listening TCP port on the device

This is in the same bin as SYN flood.

bf> Transit SYN flood via the target device to a responsive device beyond
bf> the target.

Not "withstanding".  It's the device's JOB to forward those SYN
packets.

bf> Wire-rate transit flood of ICMP echo requests via the target device to
bf> an unresponsive device.

Same as above.

If I attack the device, either directly with a flood or crafted packet
attack, or indirectly by asking it to transit malformed packets that
it cannot decode safely, it must not fall over.

The laws of physics (information theory?  data transmission?) prevent
us from doing anything locally to mitigate bandwidth exhaustion
attacks, so they are an exception to this requirement.

ericb
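The distinction ericb draws above, as an added example that is not part of the thread and not any vendor's code: a toy model of a device-side TCP listener that keeps no half-open state (SYN cookies, so a direct SYN flood costs one MAC per packet and no memory), bounds established connections in total and per source (so a connection-exhaustion attempt from one source cannot fill the table), and simply forwards packets whose destination is not the device itself (transit traffic is never tracked). Bandwidth exhaustion, the exception the message carves out, is deliberately not modelled. The addresses, the HMAC-SHA256 cookie construction, the limits and the simulated floods are all constructed assumptions for this example; real SYN cookies also encode a coarse timestamp and the MSS.

```python
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal TCP segment model (constructed for the example)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "A" = ACK (third handshake packet)
    seq: int
    ack: int = 0


class Listener:
    """Listener with no half-open state (SYN cookies) and bounded
    established state, both in total and per source address."""

    def __init__(self, local_addrs, port, max_conns=100, per_src=5, secret=None):
        self.local_addrs = set(local_addrs)
        self.port = port
        self.max_conns = max_conns
        self.per_src = per_src
        self.secret = secret or os.urandom(16)  # assumed per-boot secret
        self.established = set()                 # (src, sport) pairs
        self.per_source = Counter()
        self.forwarded = 0
        self.dropped = 0

    def _cookie(self, src, sport, client_isn):
        # Server ISN derived under a secret from the peer tuple and its ISN:
        # a valid third packet proves the peer actually saw our SYN-ACK.
        msg = f"{src}:{sport}:{self.port}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, p):
        if p.dst not in self.local_addrs:
            self.forwarded += 1  # transit: forward it, track nothing
            return "forward", None
        if p.dport != self.port:
            self.dropped += 1
            return "drop", None
        if p.flags == "S":
            # Stateless reply: nothing stored, so a SYN flood costs no memory.
            return "synack", self._cookie(p.src, p.sport, p.seq)
        if p.flags == "A":
            key = (p.src, p.sport)
            if key in self.established:
                return "established", None  # retransmitted ACK
            client_isn = (p.seq - 1) & 0xFFFFFFFF
            if (p.ack - 1) & 0xFFFFFFFF != self._cookie(p.src, p.sport, client_isn):
                self.dropped += 1
                return "drop", None  # forged ACK with no cookie behind it
            if self.per_source[p.src] >= self.per_src:
                self.dropped += 1
                return "drop", None  # one source cannot take the whole table
            if len(self.established) >= self.max_conns:
                self.dropped += 1
                return "drop", None  # table full: refuse, do not fall over
            self.established.add(key)
            self.per_source[p.src] += 1
            return "established", None
        self.dropped += 1
        return "drop", None


def complete_handshake(lst, src, sport, isn):
    """Drive a full three-way handshake from one client; return the verdict."""
    kind, server_isn = lst.handle(Pkt(src, "192.0.2.1", sport, 80, "S", isn))
    assert kind == "synack"
    verdict, _ = lst.handle(Pkt(src, "192.0.2.1", sport, 80, "A", isn + 1, server_isn + 1))
    return verdict


def simulate():
    """Flood the listener, then check that legitimate clients still get in."""
    lst = Listener({"192.0.2.1"}, 80, max_conns=100, per_src=5)
    # Constructed direct SYN flood: 20,000 spoofed SYNs, none ever completed.
    for i in range(20_000):
        lst.handle(Pkt(f"198.51.100.{i % 250 + 1}", "192.0.2.1", 1024 + i, 80, "S", i))
    # Constructed transit SYN flood: destined beyond the device, just forwarded.
    for i in range(1_000):
        lst.handle(Pkt("198.51.100.7", "203.0.113.9", 4000 + i, 80, "S", i))
    forged, _ = lst.handle(Pkt("198.51.100.8", "192.0.2.1", 5000, 80, "A", 1, 1))
    legit = complete_handshake(lst, "192.0.2.50", 40_000, 12_345)
    # One source trying to exhaust the table is capped at per_src connections.
    verdicts = [complete_handshake(lst, "198.51.100.9", 50_000 + n, n) for n in range(7)]
    return {"forged": forged, "legit": legit, "capped": verdicts.count("established"),
            "established": len(lst.established), "forwarded": lst.forwarded}


if __name__ == "__main__":
    print(simulate())
```

`simulate()` returns the verdicts rather than printing them so the behaviour can be checked: the forged ACK is dropped, the legitimate client is established after the flood, the greedy source gets exactly `per_src` connections, and the thousand transit SYNs are forwarded without ever touching connection state.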